A hacker finds an open redirect vulnerability in one of the domains and uses it to obtain an open redirect in Facebook.

Facebook reply:

Thank you for sharing this information with us. It looks like you have set up an App that has the domain “www.mheducation.com” whitelisted, and this domain has an XSS vulnerability that allows you to redirect after that. An App owner setting a vulnerable site as their redirect is not within Facebook’s control. Furthermore, the redirect to a malicious site happens off the Facebook domain. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

Thank you for contacting Facebook.

Jackson Security

Conclusion:

This open redirect, which works in other applications, affects the Facebook application just like any other open redirect does. The idea behind open redirect vulnerabilities is to use the trust a user has in a specific domain; in this case I’m using the Facebook domain.
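
A check an app owner could run on the redirect URLs they register, given here as an added example that is not from the original post or from Facebook: it accepts only exact callback URLs instead of a whole whitelisted domain, and flags parameters that carry an off-site URL. The host `shop.example`, the path `/oauth/callback` and the parameter names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist (assumption): exact scheme, host and path of each
# callback, rather than "anything on this domain".
ALLOWED_CALLBACKS = {("https", "shop.example", "/oauth/callback")}

ALLOW = "allow"
REJECT_NOT_EXACT = "reject: not an exact allowlisted callback"
REJECT_NESTED = "reject: carries an off-site URL parameter"


def nested_offsite_targets(url):
    """Return (param, host) pairs whose value is an absolute URL on another host."""
    parts = urlsplit(url)
    own_host = (parts.hostname or "").lower()
    hits = []
    # Redirect targets are passed in the query string or in the fragment.
    for source in (parts.query, parts.fragment):
        for name, value in parse_qsl(source, keep_blank_values=True):
            candidate = value.strip()
            if candidate.startswith("//"):  # scheme-relative URL
                candidate = "https:" + candidate
            try:
                target = urlsplit(candidate)
            except ValueError:  # malformed value, nothing to resolve
                continue
            target_host = (target.hostname or "").lower()
            if target.scheme in ("http", "https") and target_host not in ("", own_host):
                hits.append((name, target_host))
    return hits


def check_redirect_uri(url):
    """Decide whether a redirect URL is safe to hand a user to."""
    parts = urlsplit(url)
    # Comparing the full netloc also rejects userinfo and port tricks.
    key = (parts.scheme.lower(), parts.netloc.lower(), parts.path)
    if key not in ALLOWED_CALLBACKS:
        return REJECT_NOT_EXACT
    if nested_offsite_targets(url):
        return REJECT_NESTED
    return ALLOW
```

Exact matching is what closes the gap described in the reply above: a domain-wide whitelist trusts every page on the site, including one that forwards the user elsewhere.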